Why is Apple's QuickTime and iTunes 'most exposed to threats'?

Following Secunia's latest quarterly reports, Apple is getting a lot of bad press for being the most vulnerable vendor. This post is a quick summary of my investigation into why this is the case.

In the beginning ...

In Secunia's Q2 2015 report QuickTime was sitting in 2nd place for most exposed software, whilst iTunes didn't even make it into the 'Top 10'. Fast forward to Q3 2015 and QuickTime has claimed 1st place, and iTunes has climbed the charts to take 2nd place.

The Secunia report and the articles that followed it identified that there was an increase, but not why. I wanted to understand the reasons behind this. After a few emails with Apple Product Security I think I've got a reasonable explanation. In three words - "Unsupported Operating Systems". In this instance 'Unsupported' doesn't necessarily mean old versions; as we'll discover, newer versions of Windows also lead to problems.

... there was QuickTime ...

I've already written a post about why I believe QuickTime's position has increased. To quickly summarise, users of newer versions of Windows have a poor experience when it comes to updates and upgrades.

Users of Windows 8 and above do not always receive updates via QuickTime's update mechanism or via the Apple Software Update tool. When I asked Apple Product Security about this I received the following response:

Hello Alton,

Thank you for contacting Apple Product Security.

QuickTime 7.7.8 requires Windows 7 or Windows Vista.

Regards,

You can also see in the screenshot below from the Apple website that QuickTime 7.7.8 is for Windows Vista or Windows 7.

Mitigation: If you have Windows 8 or above, don't rely on the auto-update mechanisms; instead download the update directly from the Apple website.

... and then there was iTunes ...

iTunes skyrocketing to 2nd position in Secunia's 'Top 10' was a bit of a surprise to me. It seemed odd that a product would suddenly appear on the list (rather than slowly progress up the list), which made me investigate whether there were any major changes during Q3 2015. It turns out Apple ceased support for Windows XP and Vista when they released 12.2 at the end of June 2015.

You can also see in the excerpt below from the Apple website that iTunes 12.3.1 is for Windows 7 and above.

Software:

Windows 7 or later

Users with XP or Vista weren't able to upgrade beyond 12.1 until September 2015, when a special update (12.1.3.6) was released to provide support for iOS 9. As it was released on the same day as the current version (12.3.0.44), I was curious to see if the vulnerability fixes in 12.3 were backported to the 12.1.x branch of iTunes. Once again I reached out to Apple and they responded as below:

Hello,

Thank you for contacting Apple Product Security.

The security updates in iTunes 12.3 were not included in iTunes 12.1.3.6

Regards,

Apple Product Security

Support for iOS 9 appears to be very important for Apple, whilst security updates aren't.

Secunia's tools correctly report that iTunes 12.1.3.6 is vulnerable; however, they still advise users to upgrade to 12.3.1 even though this isn't possible on XP and Vista machines. I've discussed this with Secunia and it looks like we'll be waiting until iTunes 13.x is released before 12.1.3.6 is deemed to be unsupported and this is reflected in the guidance given to users of their PSI tool.

Mitigation: If you have Windows XP or Vista it's time to upgrade your operating system. Aside from vulnerabilities in Windows XP we're likely to see more and more applications cease support on these older operating systems.
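The two mitigations above (manual download of QuickTime on Windows 8+, and an OS upgrade for iTunes users on XP/Vista) boil down to a decision that depends on both the installed version and the Windows version. The following is an added example, not code from this post, Apple or Secunia: it encodes only the support facts stated here (QuickTime 7.7.8 targets Vista/7 and does not reliably arrive via auto-update on Windows 8+; iTunes 12.2+ needs Windows 7 or later, and 12.1.3.6 lacks the 12.3 fixes) and applies them to a constructed sample inventory. The hostnames, the `WINDOWS_ORDER` naming and the outcome strings are assumptions of the example; in particular it distinguishes the case Secunia's PSI guidance conflates, a vulnerable iTunes on an OS that has no fixed build at all.

```python
"""Added example, not code from the original post or from Apple/Secunia.

Given a Windows version and an installed QuickTime / iTunes version, decide
which of the post's two mitigations applies. Encodes only the support facts
the post states (as of Q3 2015):
  * QuickTime 7.7.8 targets Windows Vista / 7; on Windows 8 and above the
    auto-update path is unreliable, so the installer must be fetched manually.
  * iTunes 12.2 and later require Windows 7 or later; XP / Vista stay on the
    12.1.x branch, and 12.1.3.6 did not receive the 12.3 security fixes.
The inventory at the bottom is constructed sample data, not real hosts.
"""
from typing import Dict, List, Tuple

# Ordered oldest -> newest; used for "this OS or newer" checks (assumed naming).
WINDOWS_ORDER = ["XP", "Vista", "7", "8", "8.1", "10"]

QUICKTIME_FIXED = (7, 7, 8)   # latest QuickTime for Windows named in the post
ITUNES_FIXED = (12, 3)        # the 12.3 release carried the security fixes

# Outcome codes returned by the classifiers (wording is the example's own).
OK = "ok"
UPGRADE_AVAILABLE = "vulnerable: supported OS, install the current release"
NO_FIXED_BUILD = "vulnerable: no fixed build for this OS, upgrade the operating system"
MANUAL_DOWNLOAD = "vulnerable: auto-update unreliable on Windows 8+, download the installer from Apple"
AUTO_UPDATE = "vulnerable: run Apple Software Update"


def parse_version(text: str) -> Tuple[int, ...]:
    """'12.1.3.6' -> (12, 1, 3, 6).  Tuple ordering gives (12, 3) <= (12, 3, 0, 44)
    and (12, 1, 3, 6) < (12, 3), so a short 'fixed' prefix compares correctly."""
    return tuple(int(part) for part in text.strip().split("."))


def os_at_least(os_name: str, floor: str) -> bool:
    """True if os_name is `floor` or a newer Windows according to WINDOWS_ORDER."""
    try:
        return WINDOWS_ORDER.index(os_name) >= WINDOWS_ORDER.index(floor)
    except ValueError:
        raise ValueError(f"unknown Windows version: {os_name!r}") from None


def classify_itunes(os_name: str, version: str) -> str:
    if parse_version(version) >= ITUNES_FIXED:
        return OK
    # 12.2+ needs Windows 7 or later; older Windows has no fixed build at all.
    return UPGRADE_AVAILABLE if os_at_least(os_name, "7") else NO_FIXED_BUILD


def classify_quicktime(os_name: str, version: str) -> str:
    if parse_version(version) >= QUICKTIME_FIXED:
        return OK
    # Windows 8+ is outside 7.7.8's stated support, and auto-update may not offer it.
    return MANUAL_DOWNLOAD if os_at_least(os_name, "8") else AUTO_UPDATE


CLASSIFIERS = {"iTunes": classify_itunes, "QuickTime": classify_quicktime}


def audit(inventory: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, status) for every record whose status is not OK."""
    findings = []
    for rec in inventory:
        status = CLASSIFIERS[rec["product"]](rec["os"], rec["version"])
        if status != OK:
            findings.append((rec["host"], rec["product"], status))
    return findings


# Constructed sample inventory (hostnames and installed versions invented here).
SAMPLE_INVENTORY = [
    {"host": "pc-01", "os": "XP",  "product": "iTunes",    "version": "12.1.3.6"},
    {"host": "pc-02", "os": "7",   "product": "iTunes",    "version": "12.1.3.6"},
    {"host": "pc-03", "os": "10",  "product": "iTunes",    "version": "12.3.1"},
    {"host": "pc-04", "os": "10",  "product": "QuickTime", "version": "7.7.7"},
    {"host": "pc-05", "os": "7",   "product": "QuickTime", "version": "7.7.7"},
    {"host": "pc-06", "os": "8.1", "product": "QuickTime", "version": "7.7.8"},
]

if __name__ == "__main__":
    for host, product, status in audit(SAMPLE_INVENTORY):
        print(f"{host:6} {product:10} {status}")
```

Run as a script it lists the four hosts that need action; pc-01 is the case the post highlights, where the installed build is vulnerable but no fixed build exists for the OS, so the only real remedy is the OS upgrade rather than the "upgrade to 12.3.1" advice a version-only check would produce.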

For example Google Chrome will cease support for Windows XP as well as Windows Vista, Mac OS X 10.6, 10.7, and 10.8 from April 2016.

... and it wasn't too Good (AKA the conclusion).

I believe that the increase of Apple to 1st and 2nd place in most vulnerable programs is because of Apple's fragmented approach to supporting QuickTime and iTunes on Windows. It's likely QuickTime's increased position is because of problems with their update mechanisms on newer versions of Windows, whilst the new position for iTunes is caused by older versions of Windows no longer being supported.

To try and prove this I've asked Secunia for a breakdown of the OS version for those machines with vulnerable versions of QuickTime and iTunes, however I haven't had a response as yet.

It looks like the way to get the support from Apple on Windows is to use Windows 7, despite newer versions being available.

Windows 7 is still supported by Microsoft; however, some users prefer the latest versions so that they have the latest exploit mitigations baked into their operating system. If you're still running Windows 7 you may want to take a look at running the latest version of Microsoft's EMET to add additional exploitation mitigations.

Stay tuned to my next post where I'll explore what Apple could do to improve this situation.